<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "DTD/xhtml1-strict.dtd">
<html>
  <head>
    <title>volatility.plugins.malware.apihooks.ApiHooks.check_wsp : API documentation</title>
    <meta content="text/html;charset=utf-8" http-equiv="Content-Type" />
    <link href="apidocs.css" type="text/css" rel="stylesheet" />
    
    
  </head>
  <body>
    <h1 class="method">v.p.m.a.A.check_wsp(self, addr_space, module, module_group) : method documentation</h1>
    <p>
      <span id="part">Part of <a href="volatility.html">volatility</a>.<a href="volatility.plugins.html">plugins</a>.<a href="volatility.plugins.malware.html">malware</a>.<a href="volatility.plugins.malware.apihooks.html">apihooks</a>.<a href="volatility.plugins.malware.apihooks.ApiHooks.html">ApiHooks</a></span>
      
      
    </p>
    <div>
      
    </div>
    <div><p>Check for hooks of non-exported WSP* functions. The
mswsock.dll module contains a global variable which
points to all the internal Winsock functions. We find
the function table by the reference from the exported
WSPStartup API.</p>
<pre>.text:6C88922E 8B 7D 50          mov     edi, [ebp+lpProcTable]
.text:6C889231 6A 1E             push    1Eh
.text:6C889233 59                pop     ecx
.text:6C889234 BE 40 64 8B 6C    mov     esi, offset _SockProcTable
.text:6C889239 F3 A5             rep movsd</pre>
<p>&#64;param addr_space: the process address space (AS)</p>
<p>&#64;param module: the _LDR_DATA_TABLE_ENTRY for mswsock.dll</p>
<p>&#64;param module_group: a ModuleGroup instance for the process.</p><table class="fieldTable"></table></div>
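<p>The lookup described above, as an added example that is not Volatility's own code: it byte-matches the push/pop/mov esi/rep movsd sequence from the listing instead of disassembling WSPStartup, then flags table pointers that leave the module. The load base, the module size, the hook target, the helper names and the "pointer outside the module" test are assumptions made for this constructed sample.</p>

```python
import re
import struct

# Constructed sample values; only the instruction bytes come from the listing above.
BASE, SIZE = 0x6C880000, 0x40000   # assumed mswsock.dll load range
STARTUP_RVA = 0x922E               # where the listed bytes sit in the sample image
# push imm8 / pop ecx / mov esi, imm32 / rep movsd
COPY_PATTERN = re.compile(rb"\x6a(.)\x59\xbe(.{4})\xf3\xa5", re.DOTALL)


def find_proc_table(code):
    """Return (table_va, entry_count) from the table-copy sequence, or None."""
    m = COPY_PATTERN.search(code)
    if m is None:
        return None
    return struct.unpack("<I", m.group(2))[0], m.group(1)[0]


def hooked_entries(image, base, table_va, count):
    """Return (index, target) for table pointers that leave the module range."""
    off = table_va - base
    if off < 0 or off + 4 * count > len(image):
        raise ValueError("table lies outside the module image")
    ptrs = struct.unpack_from("<%dI" % count, image, off)
    return [(i, p) for i, p in enumerate(ptrs) if not base <= p < base + len(image)]


def build_sample(hook_index=None, hook_target=0x00A40000):
    """Build a constructed module image, optionally with one redirected entry."""
    image = bytearray(SIZE)
    code = bytes.fromhex("8b7d50" "6a1e" "59" "be40648b6c" "f3a5")
    image[STARTUP_RVA:STARTUP_RVA + len(code)] = code
    table_va, count = find_proc_table(code)
    for i in range(count):
        target = hook_target if i == hook_index else BASE + 0x1000 + 0x40 * i
        struct.pack_into("<I", image, table_va - BASE + 4 * i, target)
    return bytes(image)


if __name__ == "__main__":
    image = build_sample(hook_index=5)
    table_va, count = find_proc_table(image[STARTUP_RVA:STARTUP_RVA + 0x40])
    for index, target in hooked_entries(image, BASE, table_va, count):
        print("SockProcTable[%d] -> 0x%08x (outside mswsock.dll)" % (index, target))
```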

    
    
    <div id="splitTables">
      
      
      
    </div>
    
    
    

    
    <address>
      <a href="index.html">API Documentation</a> for Volatility 2.2, generated by <a href="http://codespeak.net/~mwh/pydoctor/">pydoctor</a> at 2013-06-24 15:16:10.
    </address>
  </body>
</html>